Creating Directory Entries

The following procedures document how to create the entries in the directory to support a virtual host. The procedures show you how to create ldif files to use with ldapmodify to make the entries, but you may use the Deja tool instead. At the end of the section, there is an example ldif file with all of the entries you would make if you follow each procedure.

The examples in the procedures use the most complicated case: a virtual host with its own, unique set of subscribers who have personal directories for web and FTP content. The configuration you use may be less complicated, and may not require all of these procedures.

You only need to create these directory entries if you need to authenticate subscribers against the directory. If subscribers never authenticate with the FTP or web server (or any other service you may add that authenticates users against the directory), you do not need special entries in the directory.

The examples in the procedure will assume the following sample data:

• There is a virtual domain called smallorg.com.

• There is one virtual host in the domain, www.smallorg.com (111.112.113.14) , which subscribers use for web site content.

• The site is also configured as a Sun Internet FTP Server virtual FTP site so that users may upload content using FTP.

• The virtual domain is for an organization with multiple subscribers.

• Subscribers are authenticated only in the virtual domain, not as subscribers to the main ISP organization.

• The root directory of the virtual FTP site and web site is /var/hosts/smallorg/public/.

• Each subscriber has a directory directly beneath the root directory (/var/hosts/smallorg/public/username/).

• The name of the hosting ISP is "myISP," and it is represented in the OSI tree in the directory as the naming context o=myISP,c=US.

Entries in the DC Tree

The entries in the DC tree allow services to map the virtual host DNS name to an area in the OSI tree where service configuration and subscriber data is stored.

By default, the DC tree contains a top level dc=com node representing the .com top-level DNS domain. Each host is represented by a chain of dc nodes that are children of the top node. For example, www.sun.com would be represented as dc=www,dc=sun,dc=com.

If you need to add hosts that are not in the .com domain, you will need to create another naming context (for example, a top-level dc=net node). See "Adding More Top-level Domains" for more help with creating a new naming context.

To Create the Domain in the DC Tree

1. Determine the name of each virtual host subscribers may authenticate on.

   You only need to configure the hosts that will use the directory to authenticate users.

   In this example, we will use one host: www.smallorg.com

2. If there is no naming context for the top-level domain for the virtual host, create one.

   You can view the current naming contexts using Deja or by using the web gateway (if it is enabled) .

   If there is no dc=com domain, for example, you will need to create one before www.smallorg.com can be added. See "Adding More Top-level Domains" for more help with creating a new naming context.

3. Determine the distinguished name (dn) of the node in the OSI that contains the subscribers who use this host. This will be the associatedName attribute on the dc entry for the host.

   This example assumes that the domain smallorg.com has its own unique set of subscribers. The entries may not exist in the directory yet, but they will be created later. The dn in the OSI tree will be ou=SmallOrg,o=myISP,c=US.

4. Create a text file for the ldif entries.

   For example, /tmp/smallorg.ldif.

5. For each dc node you need to add, create an ldif entry naming the dn (dc=name), the objectclass (domain), dc, and the associatedName in the OSI tree.

   For our example, we need to add dc nodes for smallorg (beneath com) and www (beneath smallorg). The dc=www node needs to point to the proper place in the OSI tree so that the correct users can log in to that host.

   dn: dc=smallorg,dc=com
   dc: smallorg
   objectclass: domain
   
   dn: dc=www,dc=smallorg,dc=com
   dc: www
   objectclass: domain
   associatedname: ou=SmallOrg,o=myISP,c=US

6. Save the file.

7. You may run ldapadd now to add the entries, or continue with the other procedures and add all of the required ldif entries to the file first.

   To run ldapadd on the host where the Solaris ISP Server directory server is running:

   % cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif

8. Continue with the procedure in "Entries in the OSI Tree".

Entries in the OSI Tree

The OSI tree must contain entries for the subscribers who will be authenticated on the virtual host.

The virtual host or virtual domain does not need to have its own set of subscribers; the virtual host services can authenticate users against the general ISP subscriber base. If you wish to have users authenticated against the general ISP subscriber base, make the associatedName attribute on the dc entries in the DC tree point to the top DN in the OSI tree (for example, ou=myIsp,c=US).

If you create a new domain in the OSI tree, you need to create an organizationalUnit (ou) node naming the domain with an associatedDomain attribute that points to the proper domain or host name in the DC tree. Below the virtual domain ou, you need to create ou nodes for People (to contain ispSubscriber entries), Groups, and Services (to contain ispService entries). Populating the People and Services portions of the tree is explained in "Entries for Users for the Domain" and "Entries for Services in the Domain" below.

The procedure below uses a virtual host with its own set of subscribers. Since these subscribers are unique to the virtual domain, we need to create an ou node in the OSI tree for the domain and set its associatedDomain attribute to the name of the virtual domain in the DC tree.

To Create the Domain in the OSI Tree

1. Determine the distinguished name for the domain in the OSI tree. The distinguished name includes the ou node for the domain, and all of the parents of that node in the tree.

   In this procedure we will create a domain directly below a top distinguished name of o=myISP,c=US. The dn of the domain is ou=SmallOrg,o=MyISP,c=US.

   Since we have only one host in the example, we could be more specific and use ou=www,ou=SmallOrg,o=MyISP,c=US. By only specifying the domain, it is possible to add more virtual hosts to the domain later that use the same subscribers (for example, if mail.smallorg.com is created later).

2. Determine the dn of the virtual host in the DC tree. This will be used in the associatedDomain attribute.

   For example, dc=smallorg,dc=com.

3. Create a text file for the ldif entries.

   For example, /tmp/smallorg.ldif.

4. Create an ldif entry for the domain specifying the dn, its object class attributes, the ou, and the associatedDomain.

   The object classes are always organizationalUnit and domainRelatedObject.

   For this example, dn=ou=SmallOrg,o=MyISP,c=US and the associatedDomain is smallorg.com (note that the associatedDomain is specified as a domain name and not as a distinguished name).

   Here is what would be entered into the ldif file:

   dn: ou=SmallOrg,o=MyISP,c=US
   ou: SmallOrg
   associatedDomain: smallorg.com
   objectClass: organizationalUnit
   objectClass: domainRelatedObject
   objectClass: top

5. Create ldif entries for the People, Groups, and Services nodes in the domain.

   These nodes all have organizationalUnit object classes, and are used to contain other data for the virtual domain.

   The following would be added to the end of the example ldif file:

   dn: ou=People,ou=SmallOrg,o=MyISP,c=US
   ou: People
   objectClass: organizationalUnit
   
   dn: ou=Groups,ou=SmallOrg,o=MyISP,c=US
   ou: Groups
   objectClass: organizationalUnit
   
   dn: ou=Services,ou=SmallOrg,o=MyISP,c=US
   ou: Services
   objectClass: organizationalUnit

6. Save the file.

7. You may run ldapadd now to add the entries, or continue with the other procedures and add all of the required ldif entries to the file first.

   To run ldapadd on the host where the Solaris ISP Server directory server is running:

   % cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif

Entries for Users for the Domain

After you create the domain in the OSI tree, you can add entries for the users of that domain below the ou=People node. For detailed information on creating users, see Chapter 5, Making Subscriber Directory Entries.

The ispSubscriber attributes specific to the virtual host are ispContentDirectory and ispAuthorizedServices.

ispContentDirectory specifies the user's directory on the virtual host. The directory is relative to the value of the ispDirectoryRoot of the service the user accesses (see "Entries for Services in the Domain" for information on this attribute). The ispContentDirectory is used by the Sun Internet FTP Server and the Sun WebServer to determine where to store content that a user puts on the virtual host.

If a virtual host only has one authorized user (an administrative account for a hosted web site, for example), you may wish to create a single subscriber in the domain who only has access to the web site directory. In this case, the ispContentDirectory could be "/" to indicate that when the user logs in to the Sun Internet FTP Server his or her root directory will be the ispDirectoryRoot of the FTP site.

ispAuthorizedServices specifies the distinguished names of services in the virtual domain that the user can access (if authentication is required). An example dn value for this attribute is ispVersion=2.1,ou=SUNWhttp,ou=Services,ou=SmallOrg,o=MyISP,c=US.

The following example shows an ldif entry for a subscriber that could be part of the www.smallorg.com domain described in other sections:

dn: cn=John Doe (jdoe),ou=People,ou=SmallOrg,o=MyISP,c=US
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ispSubscriber
cn: John Doe
sn: Doe
givenName: John
userId: jdoe
userPassword: secret
uidNumber: 19995
gidNumber: 101
ispContentDirectory: jdoe/public_html
ispauthorizedServices: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
mail: jdoe@myisp.com

Entries for Services in the Domain

Each service that the users in the virtual domain can log in to requires an ispService entry beneath the ou=Services node in the domain. The only service bundled with the Solaris ISP Server software that can authenticate users in virtual domains is Sun Internet FTP Server, so that is the only service covered in this section.

The Sun WebServer uses the ispDirectoryRoot of a Sun Internet FTP Server entry to determine where to store or find user personal content. If users have personal web site directories, create an ispService entry for a Sun Internet FTP Server service even if a virtual FTP site has not been created.

To Create a Sun Internet FTP Server Service Entry

1. Determine the directory root used by the Sun Internet FTP Server or Sun WebServer service on the virtual host.

   This example will use /var/hosts/smallorg/public/. Beneath this directory there may be a ./pub directory for anonymous FTP, web site content, and user directories in ./username/public_html.

2. Create a text file for the ldif entries.

   For example, /tmp/smallorg.ldif.

3. Add an ou entry for SUNWftp to the Services node for the domain.

   dn: ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
   ou: SUNWftp
   objectClass: organizationalUnit

4. Add an ispService entry beneath the SUNWftp entry. The dn of this entry is the ispVersion attribute plus the dn of the SUNWftp entry you just added.

   The ispVersion attribute is always "1.0."

   dn: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
   ispVersion: 1.0
   cn: SUNWftp
   objectClass: ispService
   ispDirectoryRoot: /var/hosts/smallorg/public

5. Save the file.

6. Run ldapadd now to add the entries.

   To run ldapadd on the host where the Solaris ISP Server directory server is running:

   % cd /opt/SUNWconn/bin % ./ldapadd -D cn=admin,o=myISP,c=US -w secret -f /tmp/smallorg.ldif

Example ldif File

For reference, the listing below shows the complete contents of an ldif file with all of the example entries used in this Appendix:

Example A-1 Complete ldif File to Add a Virtual Host

dn: dc=smallorg,dc=com
dc: smallorg
objectClass: domain

dn: dc=www,dc=smallorg,dc=com
dc: www
objectClass: domain
associatedName: ou=SmallOrg,o=myISP,c=US

dn: ou=SmallOrg,o=MyISP,c=US
ou: SmallOrg
associatedDomain: smallorg.com
objectClass: organizationalUnit
objectClass: domainRelatedObject
objectClass: top

dn: ou=People,ou=SmallOrg,o=MyISP,c=US
ou: People
objectClass: organizationalUnit

dn: ou=Groups,ou=SmallOrg,o=MyISP,c=US
ou: Groups
objectClass: organizationalUnit

dn: ou=Services,ou=SmallOrg,o=MyISP,c=US
ou: Services
objectClass: organizationalUnit
dn: cn=John Doe (jdoe),ou=People,ou=SmallOrg,o=MyISP,c=US
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ispSubscriber
cn: John Doe
sn: Doe
givenName: John
userId: jdoe
userPassword: secret
uidNumber: 19995
gidNumber: 101
ispContentDirectory: jdoe/public_html
ispauthorizedServices: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
mail: jdoe@myisp.com

dn: ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
ou: SUNWftp
objectClass: organizationalUnit

dn: ispVersion=1.0,ou=SUNWftp,ou=Services,ou=SmallOrg,o=MyISP,c=US
ispVersion: 1.0
cn: SUNWftp
objectClass: ispService
ispDirectoryRoot: /var/hosts/smallorg/public